
WEB_CAT User Notifications different for http and https

Hi,

We're using AsyncOS 7.5 on an IronPort S360.

When a user accesses a URL which according to URL Category Filtering is forbidden (e.g. www.mydrive.ch) then the error message when using http is:

--------------------

This  Page Cannot Be Displayed

Based on your organization's policies, access to this web site (http://www.mydrive.ch/ )

has been blocked because the web category .... is not allowed.

...

Date:

Username:

Source:

URL:

Category:

Reason:

Notification:

-----------------------------------------------------

If on the other hand the user uses https then the error message looks like this:

--------------------

The proxy server is refusing connections

Firefox is configured to use a proxy that is refusing connections.

- Check the proxy settings ...

- Contact your network administrator ...

-----------------------------------------------------

Does anyone know why that is and how I can make it use the former notification for both cases?

donnylee
Cisco Employee

Hi Jannis,

The reason why you see a notification page for blocked HTTP traffic is because the policy for HTTP is to "block" the URL.

In HTTPS traffic, the notification page does not appear because the policy is set to "drop" the traffic, not "block", hence the page shows a different response.

Hope this helps.

- donny

Hi Donny,

Many thanks for your answer.

What you're saying sounds reasonable, though I can find where I can change the config to not "drop" but "block" https requests.

And another point, which I forgot to mention, is that in the access log it says both times that the BLOCK_WEBCAT_11 ACL Decision Tag applies, which makes me believe that both are "blocked" the same way...

And also with the Policy Tracer there's no difference, it says for both:

Request blocked

Details: Request blocked based on URL category

Thanks again

- jannis

Hi Jannis,

In HTTP policy or access policy, the returned log for traffic blocked due to category is BLOCK_WEBCAT and you will also see a TCP_DENIED/403 in the line.

In decryption policy for HTTPS traffic, the returned log for traffic blocked due to category is DROP_WEBCAT, and you will also see a TCP_DENIED/403 in the response.

With policy trace:

For HTTPS traffic it should reply with information that indicates that the HTTPS request was dropped based on URL category.

And for HTTP traffic, it should reply with "Request blocked based on URL category".

Also, you can determine which policy triggers the blocking, whether it is the access policy (for HTTP) or decryption policy (for HTTPS).

thanks,

Donny
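The tag check described in the reply above, as an added example that is not part of any post in this thread: it reads access log lines and reports, per HTTP or HTTPS request, whether a category denial carried BLOCK_WEBCAT (access policy) or DROP_WEBCAT (decryption policy). The squid-style field layout, the sample lines, the `DROP_WEBCAT_7` suffix and the policy group names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in a squid-style access log layout (assumed field
# order: time, elapsed, client, result/status, bytes, method, URL, user,
# hierarchy, MIME type, ACL decision tag). Not taken from the thread.
SAMPLE_LOG = """\
1336040000.101 12 10.0.0.5 TCP_DENIED/403 1512 GET http://www.mydrive.ch/ - NONE/- - BLOCK_WEBCAT_11-DefaultGroup-NONE
1336040007.442 3 10.0.0.5 TCP_DENIED/403 0 CONNECT tunnel://www.mydrive.ch:443/ - NONE/- - BLOCK_WEBCAT_11-DefaultGroup-NONE
1336040010.900 4 10.0.0.9 TCP_DENIED/403 0 CONNECT tunnel://www.mydrive.ch:443/ - NONE/- - DROP_WEBCAT_7-HttpsGroup-NONE
1336040015.020 88 10.0.0.9 TCP_MISS/200 8187 GET http://example.com/ - DIRECT/example.com text/html DEFAULT_CASE_11-DefaultGroup-NONE
"""

# Decision-tag prefix -> policy type, as described in the reply above.
POLICY_BY_TAG = {"BLOCK_WEBCAT": "access policy", "DROP_WEBCAT": "decryption policy"}

def parse_line(line):
    """Return a dict for one log line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 11 or "/" not in fields[3]:
        return None
    result, _, status = fields[3].partition("/")
    # The decision tag is the part before the first "-", minus a numeric suffix.
    tag = re.sub(r"_\d+$", "", fields[10].split("-", 1)[0])
    return {"client": fields[2], "result": result, "status": status,
            "method": fields[5], "url": fields[6], "tag": tag}

def category_denials(log_text):
    """Yield (method, url, tag, policy) for every URL-category denial."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["tag"] in POLICY_BY_TAG:
            yield rec["method"], rec["url"], rec["tag"], POLICY_BY_TAG[rec["tag"]]

def summarize(log_text):
    """Count denials per (scheme, tag, policy) so HTTP/HTTPS differences stand out."""
    counts = Counter()
    for method, url, tag, policy in category_denials(log_text):
        https = method == "CONNECT" or url.startswith("https://")
        counts[("https" if https else "http", tag, policy)] += 1
    return counts

if __name__ == "__main__":
    for (scheme, tag, policy), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{scheme:5} {tag:13} {policy:17} {n}")
```

An HTTPS row tagged BLOCK_WEBCAT means the access policy made the decision for that request, which is the situation described in the question.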

Hi Donny,

Sorry for the late answer.

Now I understood the matter and I got the whole thing running!

There just were no https policies defined.

Thanks for your help again!

Jannis

You're welcome
